>>>
>>>
>>>
>>>
>>> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>>>
>>> xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>>>
>>>
>>>
>>> test-system
>>>
>>>
>>> org.apache.geronimo.security.credentialstore.NameCallbackHandler
>>>
>>> ananner
>>>
>>>
>>>
>>> org.apache.geronimo.security.credentialstore.PasswordCallbackHandler
>>> password
>>>
>>>
>>>
>>>
>>>
>>>
>>> ----------
>>>
>>>
>>>
>>> David Jencks wrote on 07-18-2007 03:57:36 AM:
>>>
>>>> run-as handling is completely different in 2.0. Instead of
>>>> constructing a subject out of xml, the run-as subject comes from
>>>> logging into a login module just like any other subject. You have to
>>>> do several things:
>>>>
>>>> -- set up a security realm so the desired subject can in fact be
>>>> created by logging in as someone
>>>> -- set up a gbean that describes how to login as this subject, such as
>>>>
>>>> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> default
>>>>
>>>>
>>>> org.apache.geronimo.security.credentialstore.NameCallbackHandler
>>>> type>
>>>> system
>>>>
>>>>
>>>>
>>>> org.apache.geronimo.security.credentialstore.PasswordCallbackHandler
>>>> manager
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Note that you have to supply the password here. You can override the
>>>> existing CredentialStore gbean in server-security-config in
>>>> config.xml or create your own, perhaps in the geronimo plan for your
>>>> app.
>>>>
>>>> -- in the geronimo security configuration for the role, indicate the
>>>> run-as subject (and default subject if you want one) by its realm and
>>>> id as indicated in the CredentialStore gbean:
>>>>
>>>>
>>>>
>>>>
>>>> MyCredentialStore
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> geronimo-admin
>>>> default
>>>>
>>>>
>>>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin"/>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I think that other than myself you are the first person to try this
>>>> out so your comments would be definitely appreciated.
>>>>
>>>> See also https://issues.apache.org/jira/browse/GERONIMO-2687
>>>>
>>>> thanks
>>>> david jencks
>>>>
>>>> On Jul 17, 2007, at 8:15 PM, Aman Nanner/MxI Technologies wrote:
>>>>
>>>>> It would appear that the TomcatGeronimoRealm.hasResourcePermission(...)
>>>>> method does not apply the role if one is defined. If this is indeed
>>>>> the case, then I believe this is a bug....
>>>>>
>>>>> Aman Nanner/MxI Technologies wrote on 07-17-2007 10:55:23 PM:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm using the latest Geronimo 2.0 snapshot from the codebase. I
>>>>>> understand that security has changed somewhat from Geronimo 1.2. I'm
>>>>>> running into an issue where I have a JSP with a specific "run-as"
>>>>>> role calling a secured EJB. This JSP has its run-as role defined in
>>>>>> the web.xml as follows:
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> MessagePage
>>>>>> /common/Message.jsp
>>>>>>
>>>>>> TESTSYSTEM
>>>>>>
>>>>>>
>>>>>> ----
>>>>>>
>>>>>>
>>>>>> I have a default run-as role mapped in my geronimo-application.xml
>>>>>> in my EAR as follows:
>>>>>>
>>>>>> ----
>>>>>>
>>>>>>
>>>>>> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="" />
>>>>>>
>>>>>>
>>>>>>
>>>>>> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="test-system" designated-run-as="true" />
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> This used to work in Geronimo 1.2, but it appears now that the JSP
>>>>>> does not run with the run-as principal; rather it seems that it runs
>>>>>> with no principals. Therefore, the call to the secured EJB causes a
>>>>>> security access exception. Is this supposed to work the same way in
>>>>>> Geronimo 2.0? If so, then maybe this is a problem in Tomcat ....
>>>>>>
>>>>>> Thanks,
>>>>>> Aman
>>>>>>
>>>>>>
>>>>> __________________________________________________________________
>>>>> __
>>>>> __
>>>>> ____________
>>>>>
>>>>>> * This message is intended only for the use of the individual or
>>>>>> entity to which it is addressed, and may contain information
>>>>>> that is
>>>>>> privileged, confidential and exempt from disclosure under
>>>>>> applicable
>>>>>> law. Unless you are the addressee (or authorized to receive
>>>>>> for the
>>>>>> addressee), you may not use, copy or disclose the message or any
>>>>>> information contained in the message. If you have received this
>>>>>> message in error, please advise the sender by reply e-mail , and
>>>>>> delete the message, or call (collect) 001 613 747 4698. *
>>>>>>
>>>>>
>>>>
>>>
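The thread above describes the Geronimo 2.0 run-as model: a role's run-as subject is obtained by a real login, using the username and password stored in the CredentialStore gbean, and the role mapping points at that subject by realm and id. The symptom Aman reports (the JSP running with no principals) is what you would expect when that lookup or login cannot succeed. The following script, an added example that is not part of the thread or of Geronimo itself, cross-checks a security plan's run-as references against a credential store: it flags a referenced subject that does not exist, a subject with no password (so the login cannot succeed), and a subject whose stored password is an obvious default. The element layout (`credential-store`/`realm`/`subject`/`id`/`credential`/`type`/`value` and `role`/`run-as-subject` with `realm` and `id` attributes) is reconstructed from the tag-stripped snippets in the thread and is an assumption, as are the sample documents and the weak-password list, which are constructed for the example.

```python
"""Cross-check Geronimo 2.0 run-as subjects against a credential store.

Added example. The element names are an assumption reconstructed from the
tag-stripped snippets in the mailing-list thread, not a verified copy of
the Geronimo schemas; the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

# Namespace and callback-handler class names as they appear in the thread.
CS_NS = "http://geronimo.apache.org/xml/ns/credentialstore-1.0"
NAME_HANDLER = "org.apache.geronimo.security.credentialstore.NameCallbackHandler"
PASSWORD_HANDLER = "org.apache.geronimo.security.credentialstore.PasswordCallbackHandler"

# Constructed sample credential store (element layout assumed).
CREDENTIAL_STORE_XML = f"""
<credential-store xmlns="{CS_NS}">
  <realm name="geronimo-admin">
    <subject>
      <id>default</id>
      <credential><type>{NAME_HANDLER}</type><value>system</value></credential>
      <credential><type>{PASSWORD_HANDLER}</type><value>manager</value></credential>
    </subject>
    <subject>
      <id>test-system</id>
      <credential><type>{NAME_HANDLER}</type><value>ananner</value></credential>
      <credential><type>{PASSWORD_HANDLER}</type><value></value></credential>
    </subject>
  </realm>
</credential-store>
"""

# Constructed sample role mappings (element layout assumed); the third role
# references a subject that the credential store does not define.
SECURITY_PLAN_XML = """
<security>
  <role-mappings>
    <role role-name="admin">
      <run-as-subject realm="geronimo-admin" id="default"/>
    </role>
    <role role-name="TESTSYSTEM">
      <run-as-subject realm="geronimo-admin" id="test-system"/>
    </role>
    <role role-name="batch">
      <run-as-subject realm="geronimo-admin" id="batch-user"/>
    </role>
  </role-mappings>
</security>
"""

WEAK_PASSWORDS = {"password", "manager"}  # constructed sample list of defaults


def load_credential_store(xml_text):
    """Return {(realm, id): {credential type: value}} for every stored subject."""
    root = ET.fromstring(xml_text)
    ns = {"cs": CS_NS}
    subjects = {}
    for realm in root.findall("cs:realm", ns):
        realm_name = realm.get("name")
        for subject in realm.findall("cs:subject", ns):
            sid = subject.findtext("cs:id", default="", namespaces=ns).strip()
            creds = {}
            for cred in subject.findall("cs:credential", ns):
                ctype = cred.findtext("cs:type", default="", namespaces=ns).strip()
                creds[ctype] = cred.findtext("cs:value", default="", namespaces=ns)
            subjects[(realm_name, sid)] = creds
    return subjects


def run_as_references(xml_text):
    """Return [(role-name, realm, id)] for every run-as-subject in a plan."""
    root = ET.fromstring(xml_text)
    refs = []
    for role in root.iter("role"):
        for ras in role.findall("run-as-subject"):
            refs.append((role.get("role-name"), ras.get("realm"), ras.get("id")))
    return refs


def check_run_as(credential_store_xml, plan_xml):
    """Return findings, one string per problem; an empty list means every
    run-as role maps to a stored subject that can log in with a non-default password."""
    subjects = load_credential_store(credential_store_xml)
    findings = []
    for role_name, realm, sid in run_as_references(plan_xml):
        creds = subjects.get((realm, sid))
        if creds is None:
            findings.append(f"role {role_name}: run-as subject {realm}/{sid} not in credential store "
                            "(login fails, caller runs with no principals)")
            continue
        if not creds.get(NAME_HANDLER):
            findings.append(f"role {role_name}: subject {realm}/{sid} has no username credential")
        password = creds.get(PASSWORD_HANDLER)
        if not password:
            findings.append(f"role {role_name}: subject {realm}/{sid} has no password, so the run-as login cannot succeed")
        elif password.lower() in WEAK_PASSWORDS:
            findings.append(f"role {role_name}: subject {realm}/{sid} uses a weak/default password")
    return findings


if __name__ == "__main__":
    for finding in check_run_as(CREDENTIAL_STORE_XML, SECURITY_PLAN_XML):
        print(finding)
```

Run against the constructed samples it reports three findings: the `admin` role's subject uses a default password, the `TESTSYSTEM` role's subject has no password stored, and the `batch` role references a subject the store does not define. Because the run-as password must be stored in the gbean (as the thread notes), the store itself is worth protecting like any other credential file.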